Posts by caperjack

Download 'Hijack This!'.HERE

Unzip (extract) it to a folder of its own.Like c:\HJT\hijackthis.exe , Then Doubleclick HijackThis.exe (in the new folder), and hit "Scan".
When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, then Ctrl-A to Select All, and copy its contents here. for hijackthis,most of what it lists will be harmless or even essential, don't fix anything yet.

reboot computer and post a new hijackthis log

PS: I went to you web site ,you have more problems than spyware [you have no top for one of your outfits]!LOL :)

Don't know what to tell you ,
Delete the temp internet files ,in IE tools and then run hijack and fix all the bad ones that returned ,as per the instructions in my other post ..

Your welcome !

After all that i found the orignal on a open fourm I do believe .

http://forums.subratam.org/index.php?showtopic=583

Sorry i don't have time to night I off to bed .but if one of the other log readers have time please feel free to do so .You might want to run the free online virus scan in my signature,while you are waiting .

This is the content of the post that followed the above ,this comment is by SharowWar.

-Its now updated to target both searchx dll's

After this is run all you need is shredder or clean the remnants with hijackthis.
you should see the 02 with the dll missing now.
Also improved the registry routines and improved dealing with locked files also.

Should now work a lot better!

I don't think the images are needed but i will add the rest in this post ,they are in order except i didn't put in image 2,so count 1 3 4 5 6 in first post and 7 8 9 ,10 in this post

This is the text of the Instructions givin in the link in my other post . with out the Images ,if you run the program as instructed ,you would see the images .

Hello ,

This is a fix for the hidden cws dll buried in appinit value
in the registry. This does not fix the visible hijack itself
yet. You will have this if you keep getting reinfected
with searchx according to shredder.
Example these lines with the random dll hijack:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\faip.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\faip.dll/sp.html (obfuscated)

O2 - BHO: (no name) - {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}} - C:\WINDOWS\System32\faip.dll

NOTE: CLASSID IS RANDOM.

Redirected to Linklist.cc or Real-Yellow-pages.
This only fixes the hidden dll.
-------------------------------------

Step 1. Download the file from
http://downloads.subratam.org/dllfix.exe
or
http://tools.zerosrealm.com/dllfix.exe
and save it in a place you like.

Figure 1.

-----------------------------
Step 2. The file when downloaded will be dllfix.exe.

Figure 2.

-----------------------------
Step 3. Double-Click or Open the self-extracting file. It will ask for installation and change location. Please Keep it in BOOT drive and not in any place else. Preferable in Desktop.

Figure 3.

-----------------------------
Step 4. Navigate to the folder with the contents of the file. You will see there are two more folders inside and …

By inner workings do you mean a demo on how to use the program .

I don't think this link will work because it from a closed Section within a open fourm .
http://forums.spywareinfo.com/index.php?showtopic=3393&hl=dllfix

WOW! Start with these 3 programs.

You Have A Variant of the CoolWebSearch Trojan.

Please Download CWShredder from HERE and run the Program in safe mode . Press the "Fix Button" Let it fix all variants. Next, Close the program and all windows and IE windows and run hijackthis and Post a Fresh log.

Reboot to SAFE mode to run swshredder

How to start computer in safe mode

Then these 2 programs .
Ad-Aware and Spybot

Download the latest version of Ad-Aware at ADAWARE

Download SPYBOT

How to setup Ad-Aware and Spy-Bot S&D
http://www.zerosrealm.com/scanning.php

And after that, please do the following:

reboot computer and post a new log

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - D:\JURIS\PROGRAMS\FRESHDOWNLOAD\FDCATCH.DLL (file missing)

These 2 are not spyware but are rescource hog's and not needed in startup suggested fixes
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft
Office\Office\OSA.EXE

O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE

Unless you had Spy-Bot set these ,fix them
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

reboot computer and post a new log

SpyFerret makes the list of bad spyware removers.It will report bad stuff to fix trying to get you to pay for the program .Why pay when there are free one that are much better .
http://www.spywarewarrior.com/viewtopic.php?t=68

Might I suggest Ad-Aware and Spybot ,I see you allready use spy-bot ,trust what it want to fix as its one of the best , so give ad-aware a whirl.

Download the latest version of Ad-Aware at ADAWARE

Download SPYBOT

How to setup Ad-Aware and Spy-Bot S&D
http://www.zerosrealm.com/scanning.php

And after that, please do the following:

Hi there thanks for the tips

but i dont hva eie listed in add rmoved programs so cant repair it

It is in add remove programs ,in the left colum click on Add remove windows components ,there you will find IE

my system is hp510n 512 mb ram 40 gb hard drive. i can open ms explorer and nero, mirc fine. but i cannot open my computer or hp pavillion or i.e. my desktop keeps shutting down due to error. i try all three options but they dont restore my active desktop. when i try to open the apps that i mentioned all my desktop icons disappear for one or two miutes and the desktop shutdown screen reappears. registry mechanic is the only program i have recently downloaded. i have tried system restore but it wont restore my computer to an earlier time. thank you.

Are you set up with just one user acount ,If so have you tried creating a new user acct in control panel /users .
To see if it has the same troubles !

correct me if I'm wrong but does this not mean that MSCONFG is in action and some programs are set not to run at startup.meaning not all bad programs are shown in the log .
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

.........OOPS!.....missed that.:)

Sorry, that my Dyslexia,Acting up !

LOL. I"m a single dad & have the same trouble with my 15 year old daughter. Funny that, eh?

You one up one me! [or down]I also have a Wife who wants here turn on the Machine too!:)

Your welcome .glad to have helped !

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

Your log looks good just these 2 they are not needed in startup,and are rescorce hogs and suggested fixes .

O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE

O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE

Also check How I got infected ,in my signature and use the suggested programs .I use all 3 myself .great results .

Important: Create a folder on the C: drive called C:\HJT.
You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it HJT.
Unzip HijackThis into this folder. When you run HijackThis from this folder and have it "Fixed checked" it will create a backup file of modifications to use if restore is necessary

You Have A Variant of the CoolWebSearch Trojan.

Please Download CWShredder from HERE and run the Program in safe mode . Press the "Fix Button" Let it fix all variants. Next, Close the program and all windows and IE windows and run hijackthis and Post a Fresh log.

Reboot to SAFE mode to run swshredder

How to start computer in safe mode

Then these 2 programs .
Might I suggest Ad-Aware and Spybot

Download the latest version of Ad-Aware at ADAWARE

Download SPYBOT

How to setup Ad-Aware and Spy-Bot S&D
http://www.zerosrealm.com/scanning.php

And after that, please do the following:

reboot computer and post a new log

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.com%00@www.e-finder.cc/hp/ (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.com%00@www.e-finder.cc/hp/ (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)

O2 - BHO: (no name) - {834261E1-DD97-4177-853B-C907E5D5BD6E} - C:\DPE.DLL

This is a suggested fix because it a rescorce hog and not needed in startup.
O4 - Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office\OSA9.EXE

O13 - DefaultPrefix: http://%65%68%74%74%70%2E%63%63/?

O13 - WWW Prefix: http://%65%68%74%74%70%2E%63%63/?

Now reboot …

Yeah ,when I use it, I use Firefox.

I don't thing you'll find that tweek any where !

Edit:Posted about the same time ,good Morning Mad-dog
Give this one atry ,one of the best alternatives out there !
http://www.mozilla.org

This is a great little program to clost the thing running so you can run scandisk and defrag .
http://home.ptd.net/~don5408/toolbox/enditall/

No! not I .................

You can,t change the content of a file on any all ready written CD,unless its a CD-RW and the chances of that being are almost Nill!

I have a different ? How much did the tech charge to format and reload you computer.
Local computer store here charges 40$tax included .I charge 25$making some mone on the side !!

........................................:)
Edit: I reread you post anf had to change my first response!
I don't know what is....!

Might I suggest Ad-Aware and Spybot

Download the latest version of Ad-Aware at ADAWARE

Download SPYBOT

How to setup Ad-Aware and Spy-Bot S&D
http://www.zerosrealm.com/scanning.php

And after that, please do the following:

You Have A Variant of the CoolWebSearch Trojan.

Please Download CWShredder from HERE and run the Program in safe mode . Press the "Fix Button" Let it fix all variants. Next, Close the program and all windows and IE windows and run hijackthis and Post a Fresh log.

Reboot to SAFE mode to run swshredder

How to start computer in safe mode

reboot computer and post a new log

did you try hooking a serial mouse to the laptop to see if that works

Location: My house
OS: Windows 98

I have a computer that is messed up!
We had to get a new one because this one was so bad. What happend was ablout every few hrs (mostly when getting on the Internet) a million popups would come up, one after the other and when you closed one, 10 more would pop up. Eventually the computer would be low on resources and then I would have to shut the computer down.

Anyone know what on Earth is causing this?

Might I suggest Ad-Aware and Spybot

Download the latest version of Ad-Aware at ADAWARE

Download SPYBOT

How to setup Ad-Aware and Spy-Bot S&D
http://www.zerosrealm.com/scanning.php

And after that, please do the following:

Download 'Hijack This!'.HERE

Unzip (extract) it to a folder of its own.Like c:\HJT\hijackthis.exe , Then Doubleclick HijackThis.exe (in the new folder), and hit "Scan".
When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, then Ctrl-A to Select All, and copy its contents here. for hijackthis,most of what it lists will be harmless or even essential, don't fix anything yet.

reboot computer and post a new hijackthis log

You Have A Variant of the CoolWebSearch Trojan.
After you download and run the program recomended by DMR do the following .

Please Download CWShredder from HERE and run the Program in safe mode . Press the "Fix Button" Let it fix all variants. Next, Close the program and all windows and IE windows and run hijackthis and Post a Fresh log.

Reboot to SAFE mode to run swshredder

How to start computer in safe mode

reboot computer and post a new log

I will post the fix here also incase others read this and need the fix ,You didn't really need to start another post just because it was getting long.

run hijack again and fix this .
O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] /L:ENG

this is a quote from anothe fourm :That is a startup item for some tutorial for the audigy sound card. It only seems to affect Dell computers. It was common some months ago.

Ok .I did some speed reading [Again] Just like the artical says I never liked newsgroups first or last :)

Try this and post back hijackthis log

Download 'Hijack This!'.HERE

Unzip (extract) it to a folder of its own.Like c:\HJT\hijackthis.exe , Then Doubleclick HijackThis.exe (in the new folder), and hit "Scan".
When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, then Ctrl-A to Select All, and copy its contents here. for hijackthis,most of what it lists will be harmless or even essential, don't fix anything yet.

reboot computer and post a new hijackthis log

Download the latest version of Ad-Aware at ADAWARE

How to setup Ad-Aware and Spy-Bot S&D
http://www.zerosrealm.com/scanning.php

And after that, please do the following:

Download 'Hijack This!'.HERE

Unzip (extract) it to a folder of its own.Like c:\HJT\hijackthis.exe , Then Doubleclick HijackThis.exe (in the new folder), and hit "Scan".
When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, then Ctrl-A to Select All, and copy its contents here. for hijackthis,most of what it lists will be harmless or even essential, don't fix anything yet.

reboot computer and post a new hijackthis log

I never did have any luck with that option,close session but leave cd open . when i use it .I always had to left it open and then finalize it when full.
Now that cd are only about .50 cents each i just burn and close everything .

Who read it ")

I didn't think it was reccommended to run at the highest resolution for a long periods of time !

just a few things that i would fix ,so they don't run at startup if I owned Old Betsy.
I would also uninstall Norton System Works .

O4 - HKLM\..\Run: [RealJukeboxSystray] "D:\REALJUKEBOX\tsystray.exe"

O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE

O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe

O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE

O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE

O4 - Startup: Acrobat Assistant.lnk = D:\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

O4 - Startup: Webshots.lnk = D:\Webshots\WebshotsTray.exe

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.searchalot.com/search.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = nov

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = nov

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = nov

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = nov

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = nov

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = nov

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = nov

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - (no file)

O4 - HKCU\..\Run: [System MScvb] C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\GTAFC5MV\DOCUMENTS.PIF

Now reboot into safe mode and delete the following files and folders if found .

C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\GTAFC5MV\DOCUMENTS.PIF ...delete this file

to delete the above files and folder you will need to do the following
go to
Show hidden files & folders

"Fix Checked"...Reboot to SAFE mode to delete files
How to start computer in safe mode

reboot computer and post a new log

Hey, thankx for the suggestion...

Is there any tutorials that explains this link and how to use it?

Just copy paste the suspected CWS into the search ,to check it to see if your suspected is a CWS variant .

Important: Create a folder on the C: drive called C:\HJT.
You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it HJT.
Unzip HijackThis into this folder. When you run HijackThis from this folder and have it "Fixed checked" it will create a backup file of modifications to use if restore is necessary.

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

R3 - Default URLSearchHook is missing

O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL

O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL

O2 - BHO: (no name) - {9FB534E3-67CB-4307-AE0A-9E8B5581BE2C} - C:\PROGRA~1\WINDOW~4\WinSB1.DLL

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O3 - Toolbar: Windows Search Bar - {A1DD937D-71E1-4BB5-BD5D-1B01B9CB1C2F} - C:\PROGRA~1\WINDOW~4\WinSB1.DLL

O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

Check control panel and uninstall mywesearch if it there
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

O4 - HKLM\..\Run: [kcdwuusc] C:\WINDOWS\hjllkqqx.exe

O4 - HKLM\..\Run: [zzb] c:\WINDOWS\System32\zzb.exe

O4 - HKLM\..\Run: [] C:\WINDOWS\System32\

Also in add remove programs and uninstall wildtangent
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain

O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart

O4 - Startup: Download Plus.lnk = …

Locked or 'Suspect' file(s) found...
\\?\C:\WINDOWS\System32\MSXML3A.DLL +++ File read error
\\?\C:\WINDOWS\System32\MSXML3A.DLL +++ File read error

A google search showes these as legit windows files .

I suspect these shortcuts on the desk top may be problems. Can you tell me if they are please? They are:
1). Spider.exe properties lists: C:\WINDOWS\LastGood\System32\spider.exe
2). SetupDl.exe decription says: Win32 Cabinet Self-Extractor
3). Game Channel short cut Target description says "C:\Program Files\WildTangent\Apps\GameChannel\Notifications\{910fa28d-4ecc-41c9-8d7e-d9cbe5047736}\welcome.hta"
__________________

The Spider.exe is a dialer ,search for it and delete, and the others should also be found and deleted

Okay i Checked...There Was A Lot of dust there...and no i didnt get any Error Messages..

So did you blow the dust out !

Click start ,lower left corner ,go to all progrms/Startup folder ,and check to see if its there ,loading at startup ,if so right click and delete it

with the text after a second or two?

just how much fasted do you want them to open .LOL
Actuall mine open almost instantly .About a second or 2 .LOL
I searched the net for the past 20 min and cant find any info !

Yeah follow the fix instruction from above and fix it .
O4 - HKCU\..\RunServices: [Image] rundll32 C:\WINDOWS\SDKQH32.DLL,Install
Reboot an d delete this dll file C:\WINDOWS\SDKQH32.DLL